I downloaded PS CS 4, scanned it with AVG 7 (yeah, old) and it was clear.
When I executed setup.exe, nothing happened. Then I went out of my bedroom to smoke; I was at the window when I saw a DOS window opening and closing, and I realized something was wrong. At the same moment I ran to my bedroom and disconnected my internet.
Ctrl Alt Del, hah
Since I am not a "newbie", I immediately googled the strange processes (on my other computer).
(yeah, a little story to entertain you)
And there it is,
http://www.avira.de/en/threats/secti...tumonde.b.html
ADSPY/Virtumonde.B (or whatever the name is)
So I deleted the REG keys, and later, in safe mode, deleted the random 7 (it was 8) character .dll file from TEMP and SYSTEM32.
Just downloaded HJTsetup.exe and scanned.
Here's the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:14:41, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Arquivos de programas\Apoint2K\Apoint.exe
C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Arquivos de programas\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\FirefoxPortable\App\firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\PidginPortable\App\Pidgin\Pidgin.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Apoint] C:\Arquivos de programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Arquivos de programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Arquivos de programas\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Arquivos de programas\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Arquivos de programas\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip\..\{054C7CE1-60FE-4D1E-A0CA-4D0AD27875EA}: NameServer = 10.1.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E42A40D-81C9-4D1D-ABE0-685C078DD453}: NameServer = 10.1.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{054C7CE1-60FE-4D1E-A0CA-4D0AD27875EA}: NameServer = 10.1.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{054C7CE1-60FE-4D1E-A0CA-4D0AD27875EA}: NameServer = 10.1.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
--
End of file - 4129 bytes
I know about the "don't create 'is my log clear?' topics" rule.
From my knowledge I think it's clear. But when I restarted my computer to see what would happen, 2 strange processes started; I couldn't see the name, I rapidly killed them. (So I think there might be other files in my system.) And since I wanna be sure: which AV do you recommend me to use (I want the one with the highest probability of catching such things)?
And what else can I use to be safe, like AV + HijackThis + "?"
Be sure I will tell friends/people about this site, since I heard it's one of the best, if not the best.
Btw, there's a file/option "checked off" in msconfig/initialize (from the trojan, like blabla.exe). Is there any way to make it disappear?
Sorry for anything.
Thanks in advance.
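As an added example (not part of the original post or of HijackThis itself), a small Python triage script that parses HijackThis entries like the ones in the log above and automates the checks the poster did by hand: O4 Run entries that load a random-looking 7-8 letter file from system32 or a TEMP folder, O17 NameServer values that point off the local network, and entries whose file is gone. The vtqxmzkw.dll Run entry and the 1.2.3.4 NameServer are constructed placeholders so that each check has a hit; the other sample lines are copied from the log.

```python
import re
from ipaddress import ip_address

# Sample HijackThis lines. The O4 entry for vtqxmzkw.dll and the 1.2.3.4
# NameServer are constructed placeholders; the remaining lines come from the
# posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Arquivos de programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [vtqxmzkw] rundll32.exe C:\WINDOWS\system32\vtqxmzkw.dll,b
O17 - HKLM\System\CCS\Services\Tcpip\..\{054C7CE1-60FE-4D1E-A0CA-4D0AD27875EA}: NameServer = 10.1.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E42A40D-81C9-4D1D-ABE0-685C078DD453}: NameServer = 1.2.3.4
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\s,]+)')      # first Windows path in an entry
RANDOM_NAME = re.compile(r"^[a-z]{7,8}$")             # the 7/8-letter names the poster saw

def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["sec"], m["body"]))
    return entries

def suspicious_run_entries(entries):
    """O4 Run targets that are random-looking files living in system32 or a TEMP dir."""
    hits = []
    for sec, body in entries:
        if sec != "O4":
            continue
        for path in PATH_RE.findall(body):
            low = path.lower()
            stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            in_sys = "\\windows\\system32\\" in low or "\\temp\\" in low
            if in_sys and RANDOM_NAME.match(stem):
                hits.append(path)
    return hits

def nameservers_off_lan(entries):
    """O17 NameServer addresses that are globally routable, i.e. not the LAN router."""
    hits = []
    for sec, body in entries:
        m = re.search(r"NameServer = ([\d.,]+)", body) if sec == "O17" else None
        if m:
            hits.extend(ip for ip in m.group(1).split(",") if ip_address(ip).is_global)
    return hits

def orphaned_entries(entries):
    """Entries whose file no longer exists, usually leftovers from removed software."""
    return [f"{sec} - {body}" for sec, body in entries if "(no file)" in body]
```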